Overview

OpenShift Enterprise provides an authentication provider for use with Lightweight
Directory Access Protocol (LDAP) setups, but it can only connect to a single LDAP
server. If that server becomes unavailable, logins fail until it returns. The
System Security Services Daemon (SSSD) can be used to solve this problem.

Originally designed to manage local and remote authentication to the host
operating system, SSSD can now be configured to provide identity,
authentication, and authorization services to web services like OpenShift Enterprise.
SSSD has advantages over the built-in LDAP provider: it can fail over between
any number of LDAP servers, and it can cache the credentials of successful
logins so that users can still authenticate when none of those servers is
reachable.

The setup for this configuration is advanced and requires a separate
authentication server (also called an authenticating proxy) for
OpenShift Enterprise to communicate with. This topic describes how to do this setup
on a dedicated physical or virtual machine (VM), but the concepts are also
applicable to a setup in a container.

Prerequisites for Authenticating Proxy Setup

Before starting setup, you need to know the following information about your
LDAP server.

Whether the directory server is powered by FreeIPA, Active Directory, or another
LDAP solution.

Whether the LDAP server follows RFC 2307 or RFC 2307bis for user groups (RFC 2307
stores group members as memberUid values, RFC 2307bis as member DNs). This
determines the schema setting SSSD is given.

Prepare the VMs:

proxy.example.com: A VM to use as the authenticating proxy. This machine must
have at least SSSD 1.12.0 available, which means a fairly recent operating
system. This topic uses a Red Hat Enterprise Linux 7.2 server for its examples.

openshift.example.com: A VM to use to run OpenShift Enterprise.

These VMs can be configured to run on the same system, but for the examples used
in this topic they are kept separate.

Phase 1: Certificate Generation

To ensure that communication between the authenticating proxy and
OpenShift Enterprise is trustworthy, create a set of Transport Layer Security (TLS)
certificates to use during the other phases of this setup. In the
OpenShift Enterprise system, start by using the auto-generated certificates created
as part of running:

Ensure that every host name and interface IP address that clients use to reach
the proxy is included in the certificate's subject alternative names. Otherwise,
TLS host name verification fails and the HTTPS connection is refused.

Generate the API client certificate that the authenticating proxy will use to
prove its identity to OpenShift Enterprise. This is required: OpenShift
Enterprise only trusts identity headers from a client that presents this
certificate, so without it anyone who can reach the API could impersonate the
proxy and submit fabricated identities.
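The following is an added example, not code from the OpenShift documentation. It shows the two certificate-generation commands as a shell function (using the OpenShift 3.x oadm flags as assumed here; check them against your version), and a check a practitioner runs afterwards: that the server certificate's subject alternative names cover every host name and IP the proxy is reached by, since a name missing from the SAN is exactly the HTTPS failure described above. The names proxy.example.com, 10.0.0.5, 10.0.0.6 and the /etc/origin paths are assumptions; the self-signed sample certificate is constructed locally so the check can be exercised without a master.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation). Names, IPs and paths
# are assumptions. Needs OpenSSL >= 1.1.1 for the local sample certificate.

# List subjectAltName entries of a PEM certificate, one per line
# (e.g. "DNS:proxy.example.com", "IP Address:10.0.0.5").
cert_sans() {  # cert_sans CERT.pem
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if NAME appears in the SAN as a DNS name or an IP address.
cert_covers() {  # cert_covers CERT.pem NAME
    cert_sans "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Check every name or IP a client may use; list the missing ones, return 1 if any.
check_proxy_cert() {  # check_proxy_cert CERT.pem NAME...
    cert=$1; shift; rc=0
    for name in "$@"; do
        if cert_covers "$cert" "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name  (HTTPS to the proxy via this name will fail)"; rc=1
        fi
    done
    return $rc
}

# The commands run on the OpenShift master (oadm flags as assumed for
# OpenShift Enterprise 3.x). Not run by default: they need the master's CA.
generate_proxy_certs() {  # generate_proxy_certs HOSTNAMES (comma separated)
    mkdir -p /etc/origin/proxy/
    # Server certificate the proxy presents to browsers and to the master.
    oadm ca create-server-cert \
        --cert=/etc/origin/proxy/proxy.example.com.crt \
        --key=/etc/origin/proxy/proxy.example.com.key \
        --hostnames="$1" \
        --signer-cert=/etc/origin/master/ca.crt \
        --signer-key=/etc/origin/master/ca.key \
        --signer-serial=/etc/origin/master/ca.serial.txt
    # Client certificate the proxy presents to the API as user system:proxy.
    oadm create-api-client-config \
        --certificate-authority=/etc/origin/master/ca.crt \
        --client-dir=/etc/origin/proxy \
        --signer-cert=/etc/origin/master/ca.crt \
        --signer-key=/etc/origin/master/ca.key \
        --signer-serial=/etc/origin/master/ca.serial.txt \
        --user=system:proxy
}

# Constructed sample: a self-signed certificate carrying the SANs a proxy
# certificate should have, so the check runs offline.
make_sample_cert() {  # make_sample_cert DIR ; prints the certificate path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/sample.key" -out "$1/sample.crt" \
        -subj "/CN=proxy.example.com" \
        -addext "subjectAltName=DNS:proxy.example.com,IP:10.0.0.5" >/dev/null 2>&1
    echo "$1/sample.crt"
}

if [ "${1:-}" = "generate" ]; then
    generate_proxy_certs "proxy.example.com,10.0.0.5"
else
    sample=$(make_sample_cert "$(mktemp -d)")
    # 10.0.0.6 is deliberately absent from the SAN, so the check reports it.
    check_proxy_cert "$sample" proxy.example.com 10.0.0.5 10.0.0.6 \
        || echo "add the missing names to --hostnames and regenerate"
fi
```

Run it with no arguments to see the check against the local sample, or with `generate` on the master to run the oadm commands. Run `check_proxy_cert` against the certificate oadm produced, passing every DNS name and interface IP that will appear in a browser's or the master's URL for the proxy.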

If you want SSSD to handle LDAP failover, list additional servers on the
ldap_uri line in /etc/sssd/sssd.conf; SSSD tries them in order, and
ldap_backup_uri names servers to use only when every ldap_uri server is down.
Systems enrolled with FreeIPA can discover failover servers automatically
through DNS SRV records.
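As an added example (not configuration from the OpenShift documentation), here is a single-server sssd.conf domain beside a hardened one with failover servers, enforced TLS and an offline credential cache, together with a small audit that reports the settings a reviewer looks for: only one LDAP server, cleartext ldap:// without STARTTLS, lax ldap_tls_reqcert, and cache_credentials not enabled. The host names ldap1..ldap3.example.com, the search base and the CA path are assumptions, and both files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the OpenShift documentation. Host names, search base
# and CA path are assumptions; both sssd.conf files are constructed here.

# Print the value of KEY from the first [domain/...] section of FILE.
domain_value() {  # domain_value FILE KEY
    awk -v key="$2" '
        /^\[domain\// { in_domain = 1; next }
        /^\[/         { in_domain = 0 }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Print every server in ldap_uri and ldap_backup_uri, one per line.
uri_list() {  # uri_list FILE
    { domain_value "$1" ldap_uri; domain_value "$1" ldap_backup_uri; } \
        | tr ',' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' | grep -v '^$'
}

# Audit FILE: print findings, return 1 if there are any.
audit_sssd_conf() {  # audit_sssd_conf FILE
    file=$1; rc=0
    set -- $(uri_list "$file")
    if [ $# -lt 2 ]; then
        echo "FINDING: only $# LDAP server listed; add ldap_uri or ldap_backup_uri entries for failover"
        rc=1
    fi
    starttls=$(domain_value "$file" ldap_id_use_start_tls)
    for uri in "$@"; do
        case "$uri" in
            ldaps://*) ;;
            ldap://*)
                if [ "$starttls" != "true" ]; then
                    echo "FINDING: $uri is cleartext and ldap_id_use_start_tls is not true"
                    rc=1
                fi ;;
            *) echo "FINDING: unexpected URI $uri"; rc=1 ;;
        esac
    done
    reqcert=$(domain_value "$file" ldap_tls_reqcert)
    case "${reqcert:-hard}" in   # SSSD's default when unset is hard
        demand|hard) ;;
        *) echo "FINDING: ldap_tls_reqcert = $reqcert lets a rogue LDAP server present any certificate"; rc=1 ;;
    esac
    if [ "$(domain_value "$file" cache_credentials)" != "true" ]; then
        echo "FINDING: cache_credentials is not true; no logins while every LDAP server is down"
        rc=1
    fi
    return $rc
}

# Constructed sample files: DIR/weak.conf and DIR/hardened.conf.
write_sample_confs() {  # write_sample_confs DIR
    cat > "$1/weak.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
EOF
    cat > "$1/hardened.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_backup_uri = ldaps://ldap3.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = demand
cache_credentials = true

[pam]
offline_credentials_expiration = 2
EOF
}

demo=$(mktemp -d)
write_sample_confs "$demo"
for name in weak hardened; do
    echo "== $name.conf"
    audit_sssd_conf "$demo/$name.conf" && echo "no findings"
done
```

Set ldap_schema to rfc2307bis when the directory stores member DNs, and keep offline_credentials_expiration short: cached credentials let logins survive an outage, but they also keep a revoked password usable on the proxy for that many days.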